The Internet Of Things Is Great But It Presents A New Level Of Security Risk – Chuck Leaver

Written By David Shefter And Presented By Ziften CEO Chuck Leaver


We are now residing in a brand-new world of the Internet of Things (IoT), and the risk of cyber hazards and attacks grow significantly. As deployments progress, new vulnerabilities are appearing.

Symantec released a report this spring which examined 50 smart house devices and declared “none of the examined devices provided shared authentication between the client and the server.” Previously this summer, analysts demonstrated the ability to hack into a Jeep while it was cruising on the highway, initially controlling the radio, windscreen wipers, cooling and finally cutting the transmission.

Typically, toys, tools, appliance, and automobile makers have not had to secure against external hazards. Producers of medical devices, elevators, A/C, electric, and plumbing infrastructure parts (all of which are most likely to be linked to the Internet in the coming years) have not always been security minded.

As we are all aware, it is tough enough daily to secure computers, mobile phones, servers, as well as the network, which have been through considerable security checking, reviews and assessments for years. How can you secure alarms, individual electronics, and house devices that apparently come out daily?

To start, one must define and consider where the security platforms will be deployed – hardware, software, network, or all the above?

Solutions such as Ziften pay attention to the network (from the device point of view) and use advanced machine-type learning to identify patterns and scan for abnormalities. Ziften presently provides a global threat analytics platform (the Ziften KnowledgeCloud), which has feeds from a variety of sources that makes it possible for evaluation of 10s of millions of endpoint, binary, MD5, etc data today.

It will be an obstacle to deploy software onto all IoT devices, much of which utilize FPGA and ASIC designs as the control platform(s). They are normally included into anything from drones to automobiles to commercial and scada control systems. A large number of these devices operate on solid-state chips without a running os or x86 type processor. With inadequate memory to support sophisticated software, many simply can not support modern-day security software applications. In the world of IoT, extra modification creates danger and a vacuum that strains even the most robust services.

Solutions for the IoT area need a multi-pronged technique at the endpoint, which includes desktops, laptops, and servers presently integrated with the network. At Ziften, we currently deliver collectors for Windows, Linux, and OS X, supporting the core desktop, server, and network infrastructure that contains the intellectual property and assets that the assailants seek to obtain access to. After all, the criminals do not really want any info from the business fridge, however simply want to use it as a conduit to where the valuable data resides.

However, there is an extra technique that we provide that can help minimize lots of existing issues: scanning for anomalies at the network level. It’s believed that typically 30% of devices linked to a business network are unidentified IP’s. IoT patterns will likely double that number in the next 10 years. This is one of the reasons that linking is not always an obvious choice.

As more devices are linked to the Internet, more attack surfaces will emerge, leading to breaches that are far more damaging than those of e-mail, financial, retail, and insurance – things that might even present a risk to our way of living. Protecting the IoT has to make use of lessons gained from traditional enterprise IT security – and offer numerous layers, integrated to supply end-to-end robustness, efficient in preventing and detecting dangers at every level of the emerging IoT value chain. Ziften can assist from a wide variety of angles today and in the future.


Chuck Leaver – Don’t Let Security Blindspots Make You Prone To Attacks Use Ziften ZFlow

Written By Andy Wilson And Presented By Chuck Leaver CEO Ziften


Over the past number of years, many IT companies have actually embraced using NetFlow telemetry (network connection metadata) to enhance their security posture. There are numerous reasons behind this: NetFlow is relatively economical (vs. complete packet capture); it’s fairly easy to gather as most Layer 3 network devices support NetFlow or the IANA standard called IPFIX; and it’s easy to analyze using freeware or commercially available software applications. NetFlow can assist conquer blind spots in the architecture and can provide much needed visibility into what is truly going on in the network (both internal and external). Flow data can likewise help in early detection of attacks (DoS and APT/malware) and can be used in baselining and anomaly detection techniques.

NetFlow can supply insight where little or no visibility exists. Most companies are collecting flows at the core, WAN and Web layers of their networks. Depending on routing schemas, localized traffic might not be accounted for – LAN-to-LAN activity, local broadcast traffic, and even east-west traffic inside the data center. The majority of companies are not routing all the way to the access layer and are hence typically blind to some extent in this segment of the network.
Performing full packet capture in this area is still not 100% practical due to a variety of factors. The answer is to implement endpoint-based NetFlow to restore visibility and offer very important additional context to the other flows being gathered in the network. Ziften ZFlow telemetry originates from the endpoint (desktop, laptop, or server), so it’s not dependent on the network infrastructure to generate. ZFlow offers conventional ISO layer 3/4 data such as source and destination IP addresses and ports, however likewise offers extra valuable Layer 4-7 info such as the executable responsible for the network socket, the MD5 Hash, PID and file path of the executable, the user responsible for kicking off the executable, and whether it was in the foreground or background. The latter are very important information that network-based flows simply can not provide.

This essential additional contextual data can assist considerably lower occurrences of false positives and offer abundant data to analysts, SOC workers and incident handlers to allow them to rapidly examine the nature of the network traffic and identify if it’s harmful or benign. Used in conjunction with network-based notifications (firewall, IDS/IPS, web proxies and gateways), ZFlow can drastically reduce the quantity of time it requires to overcome a security incident. And we understand that time to spot destructive habits is a crucial factor to how effective an attack ends up being. Dwell times have reduced in recent history but are still at unacceptable levels – presently over 230 days that an assailant can stroll undiscovered through your network gathering your crucial data.

Below is a screenshot that shows a port 80 connection to a Web destination of Fascinating realities about this connection that network-based tools might miss is that this connection was not initiated by an Internet browser, however rather by Windows Powershell. Another intriguing data point is that this connection was initiated by the ‘System’ account and not the logged-in user. These are both extremely attention-grabbing to a security expert as it’s not a false positive and most likely would require much deeper examination (at which point, the expert could pivot into the Ziften console and see deeper into that system’s habits – what actions or binaries were initiated prior to and after the connection, procedure history, network activity and more).
zflow3Ziften’s ZFlow shines a light on security blindspots and can offer the additional endpoint context of processes, application and user attribution to help security personnel better comprehend what is actually happening in their environment. Combined with network-based events, ZFlow can assist dramatically reduce the time it requires to investigate and respond to security notififications and significantly enhance an organization’s security posture.

A New Path For Endpoint Security Has Been Taken Because Blocking And Prevention Are Not Enough – Chuck Leaver

Written By Josh Harriman And Presented By Chuck Leaver Ziften CEO


Standard endpoint security solutions, some of which have actually been around for over 20 years, rely greatly on the exact same defense techniques every year. Although there is constantly development and strides to enhance, the underlying issue still exists. Dangers will always find a way into your organization. And for the most part, you will need to wait till your implemented service finally finds the risk prior to you even can start to evaluate the damage and perhaps avoid it from occurring once again (as soon as you get all the relevant information to make that informed decision, obviously). Another drawback to these technologies is that they frequently create a substantial performance burden on the actual device they are safeguarding. This in turn results in dissatisfied end-users and other problems such as management and reliability.

But this blog site is not about deserting your existing solution, but rather enhancing and empowering your overall security posture. Organizations have to move towards and embrace those services that use constant monitoring and complete visibility of all activity occurring on their endpoint population. Stopping or preventing known malware from running is certainly important, however does not have the total security needed in today’s threat landscape. The capability to run much deeper forensics from current or sometimes more importantly, past events, can really only be done by services that provide constant monitoring. This info is very important in examining the damage and understanding the scope of the infection within your company.

This, of course, has to be done effectively and with a minimal amount of system overhead.

Just as there are lots of solutions in the traditional endpoint security area, a brand-new league of suppliers is popping up in this crucial action of the evolution. Most of these companies have workers from the ‘old guard’ and comprehend that a new vision is needed as the hazard landscape continues to alter. Just reporting and informing on only bad things is entirely missing the point. You MUST take a look at everything, everyone and all behaviors and actions in order to provide yourself the best opportunity of responding quickly and completely to risks within your organization.

By using solutions that fall into this “New Path of Endpoint Security” world, Security Ops or Incident Responders within the company will have the much required visibility they have actually been craving. We hear this constantly from our customers and potential customers and are doing our best to offer the systems that help safeguard everyone.

Find Superfish With The Ziften App For Splunk – Chuck Leaver

Written By Ryan Hollman And Presented By Chuck Leaver CEO Ziften

Background Details: Lenovo confessed to pre installing the Superfish adware on some consumer PCs, and unhappy consumers are now dragging the company to court on the matter said PCWorld. A proposed class action suit was submitted late the previous week against Lenovo and Superfish, which charges both companies with “deceptive” business practices and of making Lenovo PCs susceptible from man in the middle attacks by pre installing the adware.

Having concerns finding Superfish throughout your enterprise? With the Ziften App for Splunk, you can discover contaminated endpoints with an uncomplicated Splunk search. Simply browse your Ziften data and filter for the keyword “superfish”. The query is just:

index= ziften superfish




The following image reveals the results you would see in your Ziften App for Splunk if systems were contaminated. In this specific circumstance, we discovered several systems infected with Superfish.






The above outcomes likewise refer to the binary “VirtualDiscovery.exe”. As it turns out, this is the core process responsible for the infections. Along with the Superfish root certificate and VirtualDiscovery.exe binary, this software likewise puts down the following to the system:

A computer registry entry in:


INI and log files in:

% SystemRoot% SysWOW64VisualDiscovery.ini.
% SystemRoot% SysWOW64VisualDiscoveryOff.ini.
% SystemRoot% System32VisualDiscoveryOff.ini.
% TEMP% VisualDiscoveryr.log.

Manual detection of Superfish can also be achieved on an endpoint directly from powershell with the following:.

dir cert: -r|where Subject -match “superfish”.

If the system is contaminated with Superfish, you will see results similar to the following image. If the system is tidy, you will see no outcomes.


Some researchers have actually mentioned that you can just eliminate Superfish by getting rid of the root certificate revealed above with a powershell command such as:.

dir cert: -r|where subject -match “superfish”|Remove-Item.

This removal treatment does not persist throughout reboots. Just eliminating the root cert does not work as VirtualDiscovery.exe will re-install the root cert after a reboot of the system.

The simplest method to get rid of Superfish from your system is to update Microsoft’s integrated autovirus software Windows Defender. Shortly after the general public became aware of Superfish, Microsoft upgraded Windows Defender to remediate Superfish.

Other remediation techniques exist, however updating Windows Defender is by far the easiest technique.


Watch Out For These Top 5 Suspicious User Endpoint Behaviours – Chuck Leaver

Written By Dr Al Hartmann And Presented By Ziften CEO Chuck Leaver


Traditional security software applications are unlikely to spot attacks that are targeted to a particular organization. The attack code will most likely be remixed to evade known malware signatures, while fresh command and control infrastructure will be stood up to avert recognized blacklisted network contacts. Resisting these fresh, specific attacks requires protectors to identify more generic attack attributes than can be discovered in unlimited lists of known Indicators of Compromise (IoC’s) from formerly evaluated attacks.

Unless you have a time device to retrieve IoC’s from the future, known IoC’s won’t help with new attacks. For that, you have to be alert to suspicious habits of users or endpoints that could be a sign of ongoing attack activity. These suspicion-arousing behaviors won’t be as definitive as a malware signature match or IP blacklist hit, so they will require expert triage to confirm. Insisting upon conviction certainty prior to raising alerts suggests that new attacks will successfully evade your automatic defenses. It would be equivalent to a mom or dad overlooking suspicious child behavior without question till they get a call from the cops. You don’t desire that call from the FBI that your enterprise has been breached when due analyst focus on suspect habits would have supplied early detection.

Security analytics of observed user and endpoint behaviors looks to recognize characteristics of possible attack activity. Here we highlight some of those suspect behaviors by way of general description. These suspect behaviors work as cyber attack tripwires, signaling protectors to prospective attacks in progress.

Anomalous Login Activity

Users and organizational units display learnable login activity patterns that can be evaluated for anomalous departures. Abnormalities can be either spatial, i.e. anomalous with respect to peers, or temporal, i.e. anomalous with respect to that user/endpoint’s earlier login pattern. Remote logins can be examined for remote IP address and geolocation, and login entropy can be determined and compared. Non-administrative users logging into numerous systems can be observed and reported, as it differs from anticipated patterns.

Anomalous Work Habits

Working outside typical work hours or outside established patterns of work activity can be suspicious or a sign of insider threat activity or jeopardized credentials. Again, abnormalities might be either spatial or temporal in nature. The workload active procedure mix can likewise be analyzed for adherence to established workgroup activity patterns. Workloads may vary a bit, but have the tendency to be relatively consistent across engineering departments or accounting departments or marketing departments, and so on. Workload activity patterns can be machine learned and analytical divergence tests applied to identify behavioral abnormalities.

Anomalous Application Characteristics

Typical applications display fairly consistent characteristics in their image metadata and in their active procedure profiles. Significant departures from these observed activity standards can be indicative of application compromise, such as code injection. Whitelisted applications might be used by malware scripts in unlikely methods, such as ransomware utilizing system tools to remove volume shadow copies to stymie healing, or malware staging thieved data to disk, prior to exfiltration, with significant disk resource need.

Anomalous Network Activity

Typical applications exhibit reasonably consistent network activity patterns that can be learned and defined. Uncommon levels of network activity by uncommon applications are suspect because of that alone, as is unusual port activity or port scanning. Network activity at unusual times or with uncommon regularity (possibly beaconing) or unusual resource demand are likewise worthwhile of attention. Ignored network activity (user not present) need to always have a plausible description or be reported, specifically if observed in significant volume.

Anomalous System Fault Habits

Anomalous fault habits could be indicative of a vulnerable or revealed system or of malware that is consistently reattempting some failed operation. This could be observed as applications crashing or hanging, as service failures, or as system crashes. Compliance faults are also worth keeping in mind, such as not running mandated security or backup agents, or constant faulting by those agents (resulting in a fault-restart-fault cycle).

When searching for Endpoint Detection and Response services, don’t have a false sense of security even if you have a big library of known IOCs. The most effective services will cover these leading 5 generic attack qualities plus a lot more.